Addressing Challenges with Challenge Questions

Did you happen to see the article that ran last Monday (May 18) on MIT Technology Review online entitled “Are Your ‘Secret Questions’ Too Easily Answered?” We read it with great interest, because we believe that challenge questions, used properly as back-up authentication, can make an authentication process more robust. However, implementing challenge questions without a defined strategy will introduce new security risks rather than reduce them.

Requiring that users resetting passwords answer only a single challenge question, especially one selected from the typical short list of generic questions such as “What is your favorite city?” or “What is your favorite sports team?”, makes it far too easy for an attacker to guess the answer and gain access to sensitive and private information. Such questions have a small set of plausible answers, so an attacker can simply work through the likely ones. Even with more personal, yet still general, questions such as “Where did you go to high school?” or “What is your dog’s name?”, someone with very little knowledge of the user can make a pretty good guess. A back-up mechanism that is weaker than the password it resets simply becomes the attacker's preferred way in.

That is why, as part of the stronger authentication capabilities we offer our customers, we provide multiple challenge question functionality for password recovery/reset. IT security administrators create a bank of 10 questions, and users supply answers to all of them at initial set-up. Because administrators write the questions, they can be as specific and as hard to research as the organization requires. Administrators then configure whether users must correctly answer three, five or more questions, randomly selected from the bank, to perform a password reset; requiring several answers drawn at random means an attacker who can guess or look up one answer still cannot reset the password. For administrators who need assistance creating challenge questions that will not have common answers yet will be easy for users to remember, our professional services team is equipped with ideas.

As Stuart Schechter, the Microsoft researcher quoted in the article points out, “Back-up authentication schemes should have two important characteristics. They should be reliable, allowing a legitimate user to gain access to his or her account, and they should be secure, preventing unauthorized users from gaining access.” Our multiple challenge question functionality possesses both.
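The following is an added example of how the multi-question scheme described above can be implemented; it is illustrative code written for this page, not Password Power's own implementation. It assumes a small constructed question bank, a PBKDF2 hash over a normalized answer (so that capitalization, punctuation and spacing do not cause spurious failures), a random subset of the enrolled questions per reset session, a constant-time all-or-nothing check that does not reveal which answer was wrong, and a lockout after a configurable number of failed attempts. The question texts, parameter values and class names are assumptions for illustration.

```python
"""Multi-question challenge store: enroll N hashed answers, verify a random k-subset."""
import hashlib
import hmac
import os
import secrets
import unicodedata

PBKDF2_ROUNDS = 100_000   # slow hash: answers carry far less entropy than passwords
MIN_ANSWER_LEN = 3        # reject answers so short the answer space is tiny

# Constructed sample question bank (assumption: administrators author these; ~10 in practice).
QUESTION_BANK = {
    1: "Name of the street you lived on in third grade?",
    2: "First name of the person who taught you to drive?",
    3: "Make and model of your first car?",
    4: "Name of your first employer?",
    5: "Name of the hospital where you were born?",
}


def normalize(answer: str) -> str:
    """Canonicalize so 'St. Mary's' and 'st marys' compare equal:
    NFKC, casefold, drop punctuation, collapse whitespace."""
    text = unicodedata.normalize("NFKC", answer).casefold()
    text = "".join(ch if ch.isalnum() or ch.isspace() else " " for ch in text)
    return " ".join(text.split())


def hash_answer(answer: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode("utf-8"), salt, PBKDF2_ROUNDS)


class ChallengeStore:
    def __init__(self, required: int = 3, max_attempts: int = 3, rng=None):
        self.required = required
        self.max_attempts = max_attempts
        self.rng = rng or secrets.SystemRandom()
        self._enrolled = {}   # user -> {question id: (salt, digest)}
        self._pending = {}    # user -> {"qids": [...], "attempts": int}
        self._locked = set()

    def enroll(self, user: str, answers: dict) -> None:
        """Users answer every question in the bank at set-up; answers are stored only as salted hashes."""
        if set(answers) != set(QUESTION_BANK):
            raise ValueError("every question in the bank must be answered at enrollment")
        hashed = {}
        for qid, answer in answers.items():
            if len(normalize(answer)) < MIN_ANSWER_LEN:
                raise ValueError(f"answer to question {qid} is too short")
            salt = os.urandom(16)
            hashed[qid] = (salt, hash_answer(answer, salt))
        self._enrolled[user] = hashed

    def start_reset(self, user: str):
        """Return the question ids the user must answer, or None if the account is locked/unknown.
        An in-progress subset is reused, so an attacker cannot keep restarting the reset to
        fish for a subset made up only of questions they happen to know."""
        if user in self._locked or user not in self._enrolled:
            return None
        if user in self._pending:
            return list(self._pending[user]["qids"])
        qids = self.rng.sample(sorted(self._enrolled[user]), self.required)
        self._pending[user] = {"qids": qids, "attempts": 0}
        return list(qids)

    def verify(self, user: str, responses: dict) -> bool:
        """All-or-nothing check of the pending subset; counts failures and locks the account."""
        pending = self._pending.get(user)
        if pending is None or user in self._locked:
            return False
        ok = True
        # Check every answer even after one fails (no early exit, no per-question result),
        # so neither timing nor the response reveals which answer was wrong.
        for qid in pending["qids"]:
            salt, digest = self._enrolled[user][qid]
            candidate = hash_answer(responses.get(qid, ""), salt)
            ok &= hmac.compare_digest(candidate, digest)
        if ok:
            del self._pending[user]
            return True
        pending["attempts"] += 1
        if pending["attempts"] >= self.max_attempts:
            self._locked.add(user)
            del self._pending[user]
        return False

    def is_locked(self, user: str) -> bool:
        return user in self._locked
```

In a real deployment the store would be a database table and the lockout would raise an audit event rather than a flag in memory, but the security-relevant decisions (hash the answers, draw the subset at random, require every answer, never report which one failed, cap attempts) are the same.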

Access Control: More Critical in Today's High Risk Environments

There are too many opportunities in large organizations for people to attempt unauthorized access to networks and databases. With the downturn in the economy prompting layoffs, downsizing and consolidation, companies are seeing an increase in insider hacking. The insider threat is the hardest to detect, yet it poses the greatest risk to data security and regulatory compliance. Numerous user authentication events, such as logins with expired or weak passwords, password changes, and users striking out (exceeding the allowed number of failed login attempts), can signal a security risk. Some of these events require immediate attention because the security of the enterprise could be compromised.

Controlling access is a critical requirement for protecting customer and financial data, and even more imperative for safeguarding corporate assets during these difficult times. The news last year that a Countrywide employee with access to sensitive data had been arrested for taking 2 million names and personal information from the mortgage bank and selling them for a profit demonstrates the potential impact of a single insider and the need to have controls and monitoring in place. Clearly, even authorized users can misuse data or handle information in unauthorized ways.

With an authentication solution that can manage and monitor user login activity, organizations achieve greater access control and gain a vital tool for learning where security risks may lie. Auditing may be considered a sub-set of security, but we cannot overstate its value for the larger enterprise that oversees tens of thousands of users at multiple levels (both internal and external) with access rights of varying degrees. With access control and auditing capabilities, an organization can significantly reduce the risk of insider hacking events, generate greater security administration efficiencies and reduce auditing and compliance costs. Measured against the potential cost of intrusions and of unauthorized access to and handling of sensitive data, access control can provide a tremendous return on investment.
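As an added example of the kind of login-activity monitoring described in this section, the script below scans a constructed authentication audit log for the signals named above: a burst of failed logins, an account lockout, a successful login on an expired password, and a password change shortly after an off-hours login. It is illustrative code written for this page, not Password Power's auditing feature; the log format (one "timestamp user event key=value" line per event), the event names, the user names and the thresholds are all assumptions.

```python
"""Scan a constructed authentication audit log for risk signals worth an analyst's attention."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (assumption: "ts user event [key=value ...]" per line).
SAMPLE_LOG = """\
2009-05-20T09:01:12 jsmith login.success src=10.1.4.22
2009-05-20T09:02:40 jsmith password.change src=10.1.4.22
2009-05-20T22:14:03 mlee login.failure src=10.1.9.8
2009-05-20T22:14:21 mlee login.failure src=10.1.9.8
2009-05-20T22:14:39 mlee login.failure src=10.1.9.8
2009-05-20T22:14:55 mlee account.lockout src=10.1.9.8
2009-05-20T23:40:10 rpatel login.success src=10.1.7.3 pw_status=expired
2009-05-21T02:05:00 tchen login.success src=10.1.2.5
2009-05-21T02:06:30 tchen password.change src=10.1.2.5
"""


def parse(line: str) -> dict:
    """Split one audit line into timestamp, user, event and any key=value fields."""
    ts, user, event, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    return {"ts": datetime.fromisoformat(ts), "user": user, "event": event, **fields}


def scan(log_text: str, fail_threshold: int = 3, window: timedelta = timedelta(minutes=10),
         business_hours: tuple = (7, 19)) -> list:
    """Return (user, signal, timestamp) tuples, in log order, for each risk signal found."""
    events = [parse(line) for line in log_text.splitlines() if line.strip()]
    alerts = []
    failures = defaultdict(list)   # user -> timestamps of recent failures within `window`
    last_login = {}                # user -> timestamp of most recent successful login

    for e in events:
        user, ts = e["user"], e["ts"]
        if e["event"] == "login.failure":
            # Sliding window: keep only failures within `window` of this one.
            failures[user] = [t for t in failures[user] if ts - t <= window] + [ts]
            if len(failures[user]) == fail_threshold:
                alerts.append((user, "repeated_failures", ts))
        elif e["event"] == "account.lockout":
            alerts.append((user, "lockout", ts))
        elif e["event"] == "login.success":
            last_login[user] = ts
            if e.get("pw_status") == "expired":
                alerts.append((user, "expired_password_login", ts))
        elif e["event"] == "password.change":
            prev = last_login.get(user)
            off_hours = prev is not None and not (business_hours[0] <= prev.hour < business_hours[1])
            # A password change minutes after an off-hours login is a classic takeover pattern.
            if off_hours and ts - prev <= window:
                alerts.append((user, "off_hours_login_then_password_change", ts))
    return alerts


def summarize(alerts: list) -> dict:
    """Group signals by user so a reviewer sees at a glance which accounts need attention."""
    by_user = defaultdict(list)
    for user, signal, _ in alerts:
        by_user[user].append(signal)
    return dict(by_user)


if __name__ == "__main__":
    for user, signal, ts in scan(SAMPLE_LOG):
        print(f"{ts.isoformat()}  {user:8}  {signal}")
```

Against the constructed log this flags mlee (three failures inside the window, then the lockout), rpatel (login on an expired password) and tchen (password change 90 seconds after a 02:05 login), while jsmith's daytime login followed by a password change raises nothing.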

Tales of Tailored Authentication

We’ve found that over 25% of our customer engagements involve making adaptations to Password Power, our authentication software framework. Many organizations need an authentication system that fits tightly with their environment, meets their specific security and compliance requirements and addresses their unique complexities. We’re focused on getting the word out about our flexibility to deliver a tailored authentication solution for our customers, and we have the case studies to demonstrate it!

We recently issued a press release on the tailored authentication solution we installed for the German military. This press release was featured on numerous media sites, including Investor’s Business Daily.

The German military needed to enhance security and enable self-service password recovery for its 140,000 users. Full details on this will be in a soon-to-be published case study; however, you can find more information on this customer engagement as well as our other tailored authentication deployments in our newsletter, the Technical Journal for Password Management. Issue Q4 2008 showcases six case studies in tailored authentication, each involving different authentication technologies, such as smart cards and government CAC cards, different platforms, and different issues, such as reducing logins to diverse applications and increasing access control.